
Crustyoldbloke

Posted 22 June 2005 - 08:28 AM


Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello migr and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which may not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated, at least one is known for its tenacity; please be patient. Let’s see what we can do with the first sweep, in which I will deliberately add on the first part of the second fix in order to save time.

Firstly could you please disable SpySweeper from running during the fix, it may just hinder our attempts to change anything.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start>Run and type Services.msc then hit OK. Scroll down and find this service:

System Startup Service (SvcProc)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

SvcProc

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Please open the trial version of Ewido Security Suite, and update the definitions to the latest files. Do NOT run a scan yet.

Please install Nailfix, unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, Analyze, Run Cleaner. You may be fairly surprised by how much it finds.

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and I'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Firstly could you please disable SpyKiller from running during the fix, it may just hinder our attempts to change anything.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

E:\Program Files\Cas\

Close Windows Explorer.

Please install Killbox by Option^Explicit.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start > My Computer)

You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:

Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run>type in %temp% hit Enter and delete the content of all the temp folders shown (only the content, not the folder).

Post back a fresh HijackThis log and the L2M log and I will take another look.

migr

Posted 22 June 2005 - 05:43 PM


Member

Topic Starter


10 posts

I'm probably revealing my ignorance by asking this, but I don't have any programs actually called SpyKiller; the programs I have are SpySweeper, SpyBot, AVG, and Ewido. Which of those, if any, do you want me to disable?

migr

Posted 22 June 2005 - 07:30 PM


Member

Topic Starter


10 posts

Okay, I think I know why you told me to disable SpyKiller - because it shows up on the HijackThis log - but it doesn't seem to exist anymore on the computer, so maybe it was installed a long time ago and then deleted. It's definitely not running, though, so I decided to go ahead and do the rest of what you said.

Registry Entries that were Deleted: Please verify that the listing looks ok. If there was something deleted wrongly there are backups in the backreg folder.

****************************************************************************
REGEDIT4

And HijackThis: (By the way, I noticed that "O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run" was still there, so I tried to delete it, but when I restarted my computer, it was back again.)

Crustyoldbloke

Posted 23 June 2005 - 01:46 AM


Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello again Miriam

I was rather hoping that you had VX2 only, but from your description and the evidence I see, you have another one called Narrator, which we’ll deal with now. It is looking a lot better however. The SpyKiller programme is indeed showing up in your log as a Start-Up procedure, however, it was not there in the first log when I spotted SpySweeper. Since HJT is a snapshot of part of your registry, I have to go with the evidence. We’ll remove the entry this time to see what happens.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Reboot normally, and then please check to see if E:\WINDOWS\system32\rukmma.exe has been deleted. If it is still present, then carry out these additional instructions:

Download rkfiles and unzip the contents to a new folder on your desktop.

Download remv3.zip. Make a new folder on the root drive C:\ and unzip the remv3.zip files into it.

Run CCleaner programme now and logoff.

REBOOT TO SAFE MODE. These tools MUST be run in Safe Mode! Once in safe mode, double click the rkfiles.bat file to run it. It will scan for a while, so please be patient. Wait until the DOS window closes. Open the C:\log.txt it created and rename it log1.txt.

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run (please be patient, the window will close when done). It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

**Note** Each tool uses log.txt as its output file, so make sure you save the entries from one tool's log before running the other, as it will overwrite the file if you don’t.

Reboot back to normal mode and post the contents of both the log.txt and log1.txt in your next post, together with a fresh HijackThis log, and I will take another look.

migr

Posted 23 June 2005 - 02:21 PM


Member

Topic Starter


10 posts

An interesting thing happened. When I first tried to find the rukmma.exe file, from my user, I couldn't find it - but when I switched over to the Administrator user, I did find it. However, when I tried to delete it, it wouldn't let me, and when I ran it through KillBox as you said I should, upon rebooting, it was back - but again, I could only see from the admin user, not from mine, even though I double-checked that I had revealed all files. I decided, therefore, to run the programs again from the admin user, just in case that would make a difference, but the log files were exactly identical.

Part One:

E:\Documents and Settings\Miriam\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Files Found in system Folder............
------------------------
E:\WINDOWS\system32\PSof1.exe: UPX!
E:\WINDOWS\system32\ugdzvyr.exe: UPX!
E:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

Part Two:

The batch is run from -- C:\remv3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
 Volume in drive E is NTFS-XP
 Volume Serial Number is 0CB8-D717
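The rkfiles "Part One" log above flags files in the system folder that contain the "UPX!" marker the UPX packer leaves in an executable it has compressed (PSof1.exe and ugdzvyr.exe here). The following is an added illustration of that one check, written as a defender's script; it is not rkfiles itself or any code from this thread, it reproduces only the UPX part of what the tool does, and it scans a temporary folder of constructed sample files rather than a real system32. As the log's own warning says, a UPX marker alone is not proof of malice: legitimate software is packed too.

```python
import os
import struct
import tempfile

# Section-name string the UPX packer writes into the executables it compresses.
UPX_MARKER = b"UPX!"


def is_pe(data: bytes) -> bool:
    """True if the bytes look like a Windows PE image: 'MZ' DOS header and
    a 'PE\\0\\0' signature at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def scan_for_upx(folder, exts=(".exe", ".dll", ".scr")):
    """Return the names of PE files in `folder` that carry the UPX marker.
    A hit means 'packed', not 'malicious'; each one still needs a human look."""
    hits = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path) or os.path.splitext(name)[1].lower() not in exts:
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if is_pe(data) and UPX_MARKER in data:
            hits.append(name)
    return hits


def build_sample_folder():
    """Constructed sample data (not real files from the thread): a temp folder
    holding a fake UPX-packed PE, a plain PE, and a text file that merely
    mentions the marker, which a PE-aware scan must ignore."""
    folder = tempfile.mkdtemp()

    def fake_pe(body: bytes) -> bytes:
        hdr = bytearray(0x80)
        hdr[:2] = b"MZ"
        struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
        hdr[0x40:0x44] = b"PE\x00\x00"
        return bytes(hdr) + body

    with open(os.path.join(folder, "packed.exe"), "wb") as fh:
        fh.write(fake_pe(b"\x00" * 16 + UPX_MARKER + b"\x00" * 32))
    with open(os.path.join(folder, "plain.exe"), "wb") as fh:
        fh.write(fake_pe(b"\x00" * 64))
    with open(os.path.join(folder, "notes.txt"), "wb") as fh:
        fh.write(b"UPX! mentioned in a text file is not an executable")
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for name in scan_for_upx(sample):
        print(f"{os.path.join(sample, name)}: UPX!")   # same shape as the rkfiles log line
```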

Crustyoldbloke

Posted 23 June 2005 - 03:06 PM


Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello again Miriam

Thanks for the note about Users. Please carry out all instructions whilst logged on as Administrator, or a user with administrator rights. The new log is exactly as I thought it would be, the Narrator still being present due to other unseen rogue files.

BTW, I will need to see logs from all users, since all have different registries.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [KavSvc] E:\WINDOWS\system32\rukmma.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

*Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
*In the Killbox programme, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Now we must hide the files we revealed earlier by reversing the process, this is an important safeguard to stop important system files being deleted by accident.

Post back a fresh HijackThis log (from each user, make it obvious to me) and I will take another look.

migr

Posted 23 June 2005 - 05:21 PM


Member

Topic Starter


10 posts

READ MY NEXT POST FIRST, PLEASE! (I don't want you to waste any of your time, in case the latest development means what I think it means.)

Something weird happened when I tried to delete the rukmma.exe file. At first when I tried to find it on my user, I couldn't, as mentioned before, but when I looked for it in the Admin user, I found it - but it wouldn't let me delete it. So I looked at the file's properties, and checked to make sure that the admin had the right permissions - and I noticed a way to switch the file's "ownership" - and I saw that it was currently set on my user. So I switched it to the Admin user - and it promptly disappeared! When I went back to my own user, it had suddenly appeared there instead. I switched ownership back to my own user - and it promptly disappeared again, but I was able to now find it again through the Admin user. At this point, I decided to try something else. I used ewido security suite to end its process that was running, as well as to delete it from the list of files that run on startup, and when I tried to delete it again, it deleted - but it reappeared a couple of seconds later. When I deleted it the second time, it didn't reappear, and I went ahead and followed the rest of the steps - but as you can see, it is still appearing in all of the users' HijackThis logs.

Also, in case this is relevant, the pop-ups that have been showing up lately seem to be from something called the "web nexus network" (listed in tiny print at the bottom) and also sometimes have the name "emarketmakers" at the top.

On to the logs:

1. My user (the one that most - or all - of the logs until now have been from):

2. The admin user (and just in case this is relevant, this user appears very, very different during a normal startup and a safe mode startup. It has a different name, even a different password, and is missing all of its desktop icons during safe mode startup):

6. Just in case this is relevant, we still have Windows 98 on this computer, with stuff stored on it (its files are accessible from 98 through a link). It's virtually never actually opened up, but just in case, I ran one last HijackThis over there as well:

Crustyoldbloke

Posted 23 June 2005 - 05:26 PM

migr

Posted 23 June 2005 - 06:28 PM


Member

Topic Starter


10 posts

Good news! I think I've gotten rid of it. I noticed that the popups recently (since getting rid of the other stuff) all had something saying "Web Nexus Network" on the bottom, with a little link saying (in tiny lettering) "uninstall". I decided to take the risk that it was genuine (because it was so unassuming) and clicked it, and it led me to the web-nexus site, and offered an uninstall program. I decided (again) to risk it, because I was getting really fed up with the amount of time it's been taking to get rid of this thing, so I took a deep breath and downloaded and ran the program, then rebooted as told - and when I ran another HijackThis log, it seems to be clean. But of course, I'm not the expert, so I'm posting it here for you to check over one last time.

So far, I haven't gotten any pop-ups. What do you think? (If you have time, could you take a quick look at the above logs as well, the one that I ran for the other users on my computer, to make sure that no one else has anything there that shouldn't be?)

Crustyoldbloke

Posted 24 June 2005 - 02:04 AM


Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello Miriam

Looking at your latest HJT log for user 1 (yourself), that is a clean log. With regard to the other users, Nos. 2 - 5, the common theme is Narrator; ergo, if that is now gone then they should also be clear of that infection. However, User 4 also needs a file deletion. Here is the fix:

USER 4:

Reboot into Safe Mode: please see here if you are not sure how to do this.